Skip to main content

Shibby Tomato CVE-2026-10065

| EUVDEUVD-2026-33331 HIGH
Buffer Overflow (CWE-119)
2026-05-29 cna@vuldb.com GHSA-j6r3-mvc3-qhh4
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 16:45 vuln.today

DescriptionCVE.org

A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Stack-based buffer overflow in Shibby Tomato 1.28 router firmware allows authenticated remote attackers to corrupt memory and likely execute code by submitting a crafted Date argument to the get_ups_field function in tomatodata.cgi. The project is end-of-life and superseded by FreshTomato, so no fix will be issued by the original maintainer. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact over the network with low complexity.

Technical ContextAI

Shibby Tomato is a community-maintained fork of the Tomato router firmware (Linux/BusyBox-based) that exposes a web management interface served by CGI binaries. The affected component, tomatodata.cgi, generates dynamic status data for the router admin UI, and its get_ups_field handler parses a Date parameter without enforcing destination buffer bounds. This is a classic CWE-119 stack-based buffer overflow, where attacker-controlled input written into a fixed-size stack buffer can overwrite the saved return address or adjacent variables, enabling control-flow hijack on architectures and builds that lack stack canaries or ASLR - both commonly absent on embedded MIPS/ARM router builds of this era.

RemediationAI

No vendor-released patch identified at time of analysis, as Shibby Tomato is no longer maintained and the project has been superseded by FreshTomato; the primary recommended action is to migrate affected devices to FreshTomato or another actively maintained firmware (e.g., OpenWrt) after confirming the get_ups_field code path has been remediated or removed in the replacement. As compensating controls until migration, restrict access to the router web administration interface to trusted LAN management hosts only and ensure remote/WAN administration is disabled, which blocks the network attack vector at the cost of losing remote management; additionally, rotate and harden admin credentials since exploitation requires low privileges (PR:L), and consider blocking or proxying requests to tomatodata.cgi at an upstream firewall if the device is behind one. Track disclosure at https://vuldb.com/vuln/367151 and https://gitee.com/Fengyi-Wang/CVE/issues/IJK7BC for any community patches.

Share

CVE-2026-10065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy